
Endpoint Installer Crashes on Reinstall

Hello, I keep having this problem when re-installing Sophos on my Win 10 computer. It worked some time before, but after I had to reinstall it (due to failing updates) the installer won't even start. I already tried removing registry keys and such with this script > https://gist.github.com/Coopeh/8470068 and checked that the installer downloaded correctly.

Normally the installer creates logs, well, not in this case, so the Windows log and a Dependency Walker analysis are the only things I can provide.

Dependency Walker Report > https://pastebin.com/jTKemKyw

The Windows Error Log says this:

"Name of the failing Application: Setup.exe_Sophos Setup, Version: 1.1.19.0, Timestamp: 0x5a1dc4f7
Name of the failing Module: Setup.exe, Version: 1.1.19.0, Timestamp: 0x5a1dc4f7
Exceptioncode: 0xc0000409
Erroroffset: 0x00074072
ID of the failing Process: 0x5b4
Starttime of the failing Application: 0x01d3fd18676f9b16
Path of the failing Application: C:\Users\Playa\AppData\Local\Temp\sfl-d8d16000\Setup.exe
Path of the failing Module: C:\Users\Playa\AppData\Local\Temp\sfl-d8d16000\Setup.exe
Report-ID: 9d4afdeb-8539-4ad4-adcc-459dd3f52e7e
Complete Name of the failing Package:
Application-ID, which is relative to the failing Package:"

This is the XML Output of the Event:

"<Event xmlns="schemas.microsoft.com/.../event">
<System>
  <Provider Name="Application Error" />
  <EventID Qualifiers="0">1000</EventID>
  <Level>2</Level>
  <Task>100</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2018-06-05T21:58:58.505578300Z" />
  <EventRecordID>110584</EventRecordID>
  <Channel>Application</Channel>
  <Computer>Playa</Computer>
  <Security />
  </System>
<EventData>
  <Data>Setup.exe_Sophos Setup</Data>
  <Data>1.1.19.0</Data>
  <Data>5a1dc4f7</Data>
  <Data>Setup.exe</Data>
  <Data>1.1.19.0</Data>
  <Data>5a1dc4f7</Data>
  <Data>c0000409</Data>
  <Data>00074072</Data>
  <Data>5b4</Data>
  <Data>01d3fd18676f9b16</Data>
  <Data>C:\Users\Playa\AppData\Local\Temp\sfl-d8d16000\Setup.exe</Data>
  <Data>C:\Users\Playa\AppData\Local\Temp\sfl-d8d16000\Setup.exe</Data>
  <Data>9d4afdeb-8539-4ad4-adcc-459dd3f52e7e</Data>
  <Data />
  <Data />
  </EventData>
  </Event>"
 
THX
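
Added example (not part of the original post, and not Sophos or Microsoft code): a Python decoder for the Application Error (Event ID 1000) XML quoted above. The field order is an assumption read off the text form of the same event in the post, and the embedded sample leaves out the elided xmlns attribute.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Positional meaning of the <Data> items, read off the text form of the same
# event in the post (an assumption of this example, not a documented schema).
FIELDS = ["app_name", "app_version", "app_timestamp", "module_name",
          "module_version", "module_timestamp", "exception_code",
          "fault_offset", "pid", "start_time", "app_path", "module_path",
          "report_id", "package_full_name", "package_app_id"]

# A few NTSTATUS names that matter when triaging a crash.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
            0xC0000374: "STATUS_HEAP_CORRUPTION"}

# The event from the post, compacted; the elided xmlns attribute is omitted.
SAMPLE = r"""<Event><System>
<TimeCreated SystemTime="2018-06-05T21:58:58.505578300Z" /></System>
<EventData><Data>Setup.exe_Sophos Setup</Data><Data>1.1.19.0</Data>
<Data>5a1dc4f7</Data><Data>Setup.exe</Data><Data>1.1.19.0</Data>
<Data>5a1dc4f7</Data><Data>c0000409</Data><Data>00074072</Data>
<Data>5b4</Data><Data>01d3fd18676f9b16</Data>
<Data>C:\Users\Playa\AppData\Local\Temp\sfl-d8d16000\Setup.exe</Data>
<Data>C:\Users\Playa\AppData\Local\Temp\sfl-d8d16000\Setup.exe</Data>
<Data>9d4afdeb-8539-4ad4-adcc-459dd3f52e7e</Data><Data /><Data />
</EventData></Event>"""

def decode_event(xml_text):
    root = ET.fromstring(xml_text)
    ev = dict(zip(FIELDS, [e.text or "" for e in root.findall(".//{*}Data")]))
    stamp = root.find(".//{*}TimeCreated").get("SystemTime").rstrip("Z")
    date, frac = stamp.split(".")          # fraction has 100 ns precision
    crashed = datetime.fromisoformat(f"{date}.{frac[:6]}").replace(tzinfo=timezone.utc)
    # start_time is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    started = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=int(ev["start_time"], 16) // 10)
    code = int(ev["exception_code"], 16)
    return {
        "exception": NTSTATUS.get(code, hex(code)),
        "faulting_self": ev["module_path"].lower() == ev["app_path"].lower(),
        "built": datetime.fromtimestamp(int(ev["app_timestamp"], 16), timezone.utc),
        "pid": int(ev["pid"], 16),
        "lifetime_s": (crashed - started).total_seconds(),
    }

if __name__ == "__main__":
    for key, value in decode_event(SAMPLE).items():
        print(f"{key}: {value}")
```

For this event the decoder reports STATUS_STACK_BUFFER_OVERRUN (the code Windows raises for /GS stack-cookie failures and `__fastfail` aborts) with the fault inside Setup.exe itself, roughly half a second after the process started.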


  • I have run into this same type of failing-to-install issue.

    About 50% of the time I can get Sophos to reinstall, and the other time I have to go back to tried and true ol' reliable McAfee Enterprise to get anti-virus on the PC until the desktop tech can re-image the PC.

    Here are some of my steps.  There is no implied success with these steps, and deleting can always have a negative impact on your PC.

    Disable UAC before the install

    Disable firewall before the install

    Make sure the wind is not blowing

    Make sure your user account is in the local administrators group.  Note Sophos doesn't support nested security groups.

    Uninstall Sophos, and if any of that fails, that is OK.  Well, kinda.

    Use the Microsoft force uninstall program.  A google search will find it.

    Run MS uninstall program and remove the pieces of sophos that would not uninstall

    Check to make sure wind is still not blowing.

    Restart PC.

    Check to make sure sophos is gone from add/remove program.

    check to make sure all of the sophos services are gone.

    If any services are still listed you will need to force remove/uninstall them.  Google for the DOS commands.

    Now you can delete all of the sophos folders.  Program Files, Program Files (x86) and ProgramData.

    Restart PC.

    Search registry for all forms of sophos.  I have found that not all need to be deleted as there are a bunch.

    I like to install CCleaner, free version, and clean up the PC.

    Restart PC

    Try to install Sophos.

     

    Here is an older script that can help with removing Sophos.

    Run it before you search the registry.

    net stop "Sophos Anti-Virus"
     net stop "Sophos AutoUpdate Service"
     "C:\program files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
     :Sophos AutoUpdate
     MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E} REBOOT=ReallySuppress
     :Sophos Anti-Virus (Endpoint)
     MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{DFDA2077-95D0-4C5F-ACE7-41DA16639255} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{3B998572-90A5-4D61-9022-00B288DD755D} REBOOT=ReallySuppress
     :Sophos Anti-Virus (Server)
     MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
     :Sophos System Protection
     MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
     :Sophos Network Threat Protection
     MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
     :Sophos Health
     MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745} REBOOT=ReallySuppress
     :SDU (1.x)
     MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
     :Heartbeat
     MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
     :Sophos Management Communications System
     MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
     MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress
     :UI
     MsiExec.exe /qn /X{D29542AE-287C-42E4-AB28-3858E13C1A3E} REBOOT=ReallySuppress
     :SophosClean
     "C:\Program Files\Sophos\Clean\uninstall.exe"
     :SED
     "C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" /quiet
     :HMPA (managed) 3.5.3.563
     "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall /quiet
     :HMPA 1.0.0.699
     "C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe" /uninstall /quiet
     :HMPA 3.7.14.265
     "C:\Program Files\HitmanPro\HitmanPro.exe" /uninstall /quiet

     

     

  • Disable UAC before the install - Done

    Disable firewall before the install - Done

    Make sure the wind is not blowing - It's sunny outside

    Make sure your user account is in the local administrators group.  Note Sophos doesn't support nested security groups. - Just a single user on this PC, which is the admin

    Run MS uninstall program and remove the pieces of sophos that would not uninstall - Nothing found with FixIt

    Check to make sure wind is still not blowing. - Still sunny here

    Restart PC. - Done

    Check to make sure sophos is gone from add/remove program. - Of course (since FixIt also doesn't show anything)

    check to make sure all of the sophos services are gone. - No Services found

    Now you can delete all of the sophos folders.  Program Files, Program Files (x86) and ProgramData. - Everything Search shows nothing

    Restart PC. - Done

    Search registry for all forms of sophos.  I have found that not all need to be deleted as there are a bunch. - Yop, there is

    I like to install CCleaner, free version, and clean up the PC. - Registry Errors fixed, Temp Folders cleared etc. etc.

    Restart PC - Done

    Here is an older script that can help with removing Sophos. - Done

     

    Try to install Sophos. - Tried, not working :C

  • If the process is crashing, a memory dump of the process is your best bet.  I would suggest the following:

    Admin command prompt:

    mkdir C:\dumps

    Download procdump to that dir from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump 

    run:
    procdump -ma -i C:\dumps

    Reproduce the issue and you should have a dump file for this process.

    Feel free to attach it here.

    Regards,
    Jak

  • Done, I don't have any symbols so I can't do much with them.

    SophosSetup.exe Dump > www.dropbox.com/.../SophosSetup.exe_180606_230622.dmp

    Setup.exe Dump > www.dropbox.com/.../Setup.exe_180606_230641.dmp

  • Were those dumps created as the process crashed? It doesn't seem so.

    When you run the following command to install Procdump:

    procdump -ma -i C:\dumps

    you get something like the following printed back:

    ProcDump v9.0 - Sysinternals process dump utility
    Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
    Sysinternals - www.sysinternals.com

    Set to:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
    (REG_SZ) Auto = 1
    (REG_SZ) Debugger = "C:\dumps\procdump.exe" -accepteula -ma -j "C:\dumps" %ld %ld %p

    Set to:
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
    (REG_SZ) Auto = 1
    (REG_SZ) Debugger = "C:\dumps\procdump.exe" -accepteula -ma -j "C:\dumps" %ld %ld %p

    ProcDump is now set as the Just-in-time (AeDebug) debugger.

    When a process then crashes and you open up the dump file in WinDbg, it has a comment such as:

    Comment: '
    *** "C:\dumps\procdump.exe" -accepteula -ma -j "C:\dumps" 18652 556 00690000
    *** Just-In-Time debugger. PID: 18652 Event Handle: 556 JIT Context: .jdinfo 0x690000'

    In the dumps you provided it says:

    *** C:\dumps\procdump64.exe  Setup.exe
    *** Manual dump'

    Which suggests you just ran:

    procdump64.exe setup.exe 
    just to create a manual dump at a random time.  This doesn't capture the exception.  All I can tell from that is the modules loaded by the process really. I do see that "C:\Program Files\AVAST Software\Avast\aswhookx.dll" is loaded into SophosSetup.exe but that's all of note given the dump.  Does the issue happen with Avast removed?  Maybe a dump of the crash would be useful.

    Regards,
    Jak

  • Okay, I got what you meant. Yeah, I loaded Avast yesterday because I couldn't get the installer to work before, and being unprotected is bad.

    The debugger captured 3 files (which optically seem identical), feel free to take a look > www.dropbox.com/.../dumps.7z

  • Out of interest, if you temporarily rename these files so they aren't loaded by setup.exe, does it work?

    C:\Program Files\Lenovo\Bluetooth Software\syswow64\BtMmHook.dll
    C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor

    Regards,
    Jak

  • I wonder how that driver got on my PC, I guess Win 10 did crap - Uninstalled

    I also deactivated amBX without success